DNS CAA Record Adoption – Scanner and Results

The CAB forum members have voted and are in favor of making the CAA Checking Mandatory. All CAs (Certificate Authorities) will need to comply with the CAA (Certificate Authority Authorization) verification by September 2017.

The details are described in RFC 6844 – Abstract:

The Certification Authority Authorization (CAA) DNS Resource Record

allows a DNS domain name holder to specify one or more Certification

Authorities (CAs) authorized to issue certificates for that domain.

CAA Resource Records allow a public Certification Authority to

implement additional controls to reduce the risk of unintended

certificate mis-issue. This document defines the syntax of the CAA

record and rules for processing CAA records by certificate issuers.

This announcement made me curious about to what degree top HTTPS sites have opt’d into this by including CAA resource records for their properties…

I put together a simple scanner that queries the DNS records for each of the HTTPS ready Alexa Top 1 million sites. [Update] Code is now available on github

I did an initial scan totaling ~670k DNS records, resulting in ~0.05% having CAA resource records.

Given the low percentage of adoption, I am curious to observe how this changes over time. To that end, I’ve setup the scan to run periodically and post the results to @CAA_bot on twitter. Follow the account if you’re interested in being updated on progress.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s